Author: Eric Larchevêque 2014-04-04 13:47:45
Published on: 2014-04-04T13:47:45+00:00
The proposed protocol of using a Bitcoin address repeatedly is a flaw that needs to be corrected. It may make sense sometimes, like in the case of a mining pool app, but it is better to move away from this practice. Using a bitcoin address as a persistent identity key also feels like the wrong direction. Instead, better options such as client certificates or Steve Gibson's proposed SQRL system can be used. If one of these systems becomes successful and gains critical mass, it would make sense to specify a standard way of using a HD wallet's deterministic seed to derive a key used for FIDO or SQRL systems. However, the system that would get critical mass is the one which would be implemented into major Bitcoin wallets. Eric Larchevêque suggests having a very simple way of authenticating yourself with one Bitcoin address from your wallet. The UX is clear and simple: click on "connect with Bitcoin," flash the QR code with your wallet, accept the authentication request, and the user is autologged and identified by the chosen Bitcoin public address. This approach makes sense only if major wallets are supporting the protocol. If you need to install a plugin or download a third party software, no one will do it. Bitcoin and website authentication are unrelated problems, according to Mike Hearn. The problem Eric is trying to solve is already solved by SSL client certificates. Reusing bits of infrastructure could help, but overall, Bitcoin and website authentication are unrelated problems. Classical password authentication is an insecure process that could be solved with public key cryptography. Managing private keys securely is complex, but this complexity is already being addressed in the Bitcoin ecosystem. Eric Larchevêque has written a draft BIP description of an authentication protocol based on Bitcoin public address. By authentication, he means proving to a service/application that you control a specific Bitcoin address by signing a challenge, and that all related data and settings may be securely linked to your session. The aim is to facilitate sign-ups and logins to services and applications, improving the Bitcoin ecosystem as a whole. However, classical password authentication is an insecure process and could be solved with public key cryptography. The complexity of managing private keys securely is already being addressed in the Bitcoin ecosystem.
Updated on: 2023-06-08T18:25:07.199257+00:00